Sample app

.gitignore

@@ -57,8 +57,10 @@
 /wolfssl*
 
 IDE/Android/android-ndk-r26b/
-IDE/Android/openssl/
+IDE/Android/openssl-source/
 IDE/Android/openssl-install/
-IDE/Android/wolfssl/
+IDE/Android/wolfssl-source/
 IDE/Android/wolfssl-install/
-IDE/Android/wolfProvider/
+IDE/Android/wolfProvider/
+
+examples/openssl_example

IDE/Android/README.md

@@ -41,3 +41,18 @@ Providers:
 ```
 
 An alternate way of running `build.sh` is within a Docker environment. This can avoid unwanted local changes to your system by wrapping the environment in a container. Simply launch Docker with `docker run --rm -it -v $(pwd)/../../:/ws -w /ws/IDE/Android ubuntu:22.04 ./build.sh`. This should start the script and build everything in the local folder. Then you can take the `run.sh` script and run it from your host environment.
+
+# build.sh options
+There are a few environment flags that can be passed to the script to modify its execution. This section details the functionality.
+
+## AUTO_INSTALL_TOOLS
+This setting will run on a Debian system the required commands to install the dependencies of this script.
+
+## CLEAN_BUILD
+This will remove previous sources and binaries in the folder to have a clean start.
+
+## USE_FIPS
+This sets WolfSSL to use the FIPS version. Note some algorithms are turned off as they are not FIPS certified (ie: ed25519 and ed448).
+
+### USE_FIPS_CHECK
+If you have access to the official FIPS GitHub repository, you can use that as the source. Generally it is intended for internal use.

IDE/Android/build.sh

@@ -1,55 +1,110 @@
 #!/bin/bash
 
-set -e
 WORKSPACE=$(pwd)
 
+function checkReturn() {
+    if [ "$1" != "0" ]; then
+        echo "Error on line ${BASH_LINENO[0]}: $1"
+        exit $1
+    fi
+}
+
 AUTO_INSTALL_TOOLS=${AUTO_INSTALL_TOOLS:-true}
 if [ "${AUTO_INSTALL_TOOLS}" == "true" ]; then
+    echo "=== Installing prerequisite tools ==="
     DEBIAN_FRONTEND=noninteractive apt update && apt install -y git make autoconf libtool android-tools-adb unzip wget
+    checkReturn $?
 fi
 
 # https://developer.android.com/ndk/downloads/
 export ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT:-${WORKSPACE}/android-ndk-r26b}
 if [ ! -e ${ANDROID_NDK_ROOT} ]; then
-    wget -q https://dl.google.com/android/repository/android-ndk-r26b-linux.zip
-    unzip android-ndk-r26b-linux.zip
+    echo "=== Installing Android NDK ==="
+    wget -q https://dl.google.com/android/repository/android-ndk-r26b-linux.zip && \
+        unzip android-ndk-r26b-linux.zip
+    checkReturn $?
 fi
 PATH="${ANDROID_NDK_ROOT}/toolchains/llvm/prebuilt/linux-x86_64/bin:$PATH"
 
+if [ "${CLEAN_BUILD}" = "true" ]; then
+    rm -rf ${WORKSPACE}/openssl-* ${WORKSPACE}/wolfssl-*
+fi
+
 # Compile OpenSSL
-export OPENSSL_ALL_CIPHERS="-cipher ALL -ciphersuites TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256"
-if [ ! -e ${WORKSPACE}/openssl ]; then
-    git clone https://github.com/openssl/openssl.git ${WORKSPACE}/openssl
-    cd ${WORKSPACE}/openssl && \
+if [ ! -e ${WORKSPACE}/openssl-install ]; then
+    OPENSSL_BRANCH=${OPENSSL_BRANCH:-"master"}
+    echo "=== Installing OpenSSL ==="
+    export OPENSSL_ALL_CIPHERS="-cipher ALL -ciphersuites TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256"
+    git clone https://github.com/openssl/openssl.git --branch=${OPENSSL_BRANCH} ${WORKSPACE}/openssl-source && \
+        cd ${WORKSPACE}/openssl-source && \
         ./Configure android-x86_64 --prefix=${WORKSPACE}/openssl-install && \
         sed -i 's/-ldl//g' Makefile && \
         sed -i 's/-pie//g' Makefile && \
         make -j && \
         make -j install
+    checkReturn $?
 fi
 export LD_LIBRARY_PATH="${WORKSPACE}/openssl-install/lib64:$LD_LIBRARY_PATH"
 
 # Compile WolfSSL
-export WOLFSSL_CONFIG_OPTS='--enable-debug --enable-opensslcoexist --enable-cmac --enable-keygen --enable-sha --enable-aesctr --enable-aesccm --enable-x963kdf --enable-compkey --enable-certgen --enable-aeskeywrap --enable-enckeys --enable-base16 --enable-aesgcm-stream --enable-curve25519 --enable-curve448 --enable-ed25519 --enable-ed448 --enable-pwdbased'
-export WOLFSSL_CONFIG_CPPFLAGS=CPPFLAGS="-I${WORKSPACE}/openssl-install -DHAVE_AES_ECB -DWOLFSSL_AES_DIRECT -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DECC_MIN_KEY_SZ=192 -DHAVE_PUBLIC_FFDHE -DHAVE_FFDHE_6144 -DHAVE_FFDHE_8192 -DFP_MAX_BITS=16384 -DWOLFSSL_DH_EXTRA -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER"
 export UNAME=Android
 export CROSS_COMPILE=${ANDROID_NDK_ROOT}/toolchains/llvm/prebuilt/linux-x86_64/bin/x86_64-linux-android34-
-export CC=x86_64-linux-android34-clang
-if [ ! -e ${WORKSPACE}/wolfssl ]; then
-    git clone https://github.com/wolfssl/wolfssl ${WORKSPACE}/wolfssl
-    cd ${WORKSPACE}/wolfssl && \
-        ./autogen.sh && \
-        ./configure ${WOLFSSL_CONFIG_OPTS} "${WOLFSSL_CONFIG_CPPFLAGS}" -prefix=${WORKSPACE}/wolfssl-install --host=x86_64-linux-android --disable-asm CFLAGS=-fPIC && \
-        make -j install
+if [ ! -e ${WORKSPACE}/wolfssl-install ]; then
+    echo "=== Installing WolfSSL ==="
+    export WOLFSSL_CONFIG_OPTS='--enable-opensslcoexist --enable-cmac --enable-keygen --enable-sha --enable-aesctr --enable-aesccm --enable-x963kdf --enable-compkey --enable-certgen --enable-aeskeywrap --enable-enckeys --enable-base16 --enable-aesgcm-stream --enable-pwdbased'
+    export WOLFSSL_CONFIG_CPPFLAGS=CPPFLAGS="-I${WORKSPACE}/openssl-install -DHAVE_AES_ECB -DWOLFSSL_AES_DIRECT -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DECC_MIN_KEY_SZ=192 -DHAVE_PUBLIC_FFDHE -DHAVE_FFDHE_6144 -DHAVE_FFDHE_8192 -DFP_MAX_BITS=16384 -DWOLFSSL_DH_EXTRA -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER"
+    if [ "${USE_FIPS}" = "true" ]; then
+        WOLFSSL_CONFIG_OPTS+=' --enable-fips=ready'
+        if [ "${USE_FIPS_CHECK}" = "true" ]; then
+            git clone https://github.com/wolfssl/wolfssl ${WORKSPACE}/wolfssl && \
+                cd ${WORKSPACE}/wolfssl && ./fips-check.sh fips-ready keep && \
+                mv ${WORKSPACE}/wolfssl/XXX-fips-test ${WORKSPACE}/wolfssl-source && \
+                rm -rf ${WORKSPACE}/wolfssl && \
+                cd ${WORKSPACE}/wolfssl-source && ./autogen.sh
+            checkReturn $?
+        else
+            wget -O ${WORKSPACE}/wolfssl-fips.zip https://www.wolfssl.com/wolfssl-5.6.4-gplv3-fips-ready.zip && \
+                cd ${WORKSPACE} && unzip wolfssl-fips.zip && \
+                mv ${WORKSPACE}/wolfssl-5.6.4-gplv3-fips-ready ${WORKSPACE}/wolfssl-source && \
+                rm ${WORKSPACE}/wolfssl-fips.zip
+            checkReturn $?
+        fi
+    else
+        WOLFSSL_CONFIG_OPTS+=' --enable-curve25519 --enable-curve448 --enable-ed25519 --enable-ed448'
+        git clone https://github.com/wolfssl/wolfssl ${WORKSPACE}/wolfssl-source && \
+            cd ${WORKSPACE}/wolfssl-source && ./autogen.sh
+        checkReturn $?
+    fi
+    cd ${WORKSPACE}/wolfssl-source && \
+        CC=x86_64-linux-android34-clang ./configure ${WOLFSSL_CONFIG_OPTS} "${WOLFSSL_CONFIG_CPPFLAGS}" -prefix=${WORKSPACE}/wolfssl-install --host=x86_64-linux-android --disable-asm CFLAGS=-fPIC && \
+        make
+    checkReturn $?
+    if [ "${USE_FIPS}" = "true" ]; then
+        adb push --sync src/.libs/libwolfssl.so ./wolfcrypt/test/.libs/testwolfcrypt /data/local/tmp/ && \
+        NEWHASH=$(adb shell "LD_LIBRARY_PATH=/data/local/tmp /data/local/tmp/testwolfcrypt 2>&1 | sed -n 's/hash = \(.*\)/\1/p'") && \
+        sed -i "s/^\".*\";/\"${NEWHASH}\";/" wolfcrypt/src/fips_test.c && \
+        checkReturn $?
+    fi
+    make -j install
+    checkReturn $?
 fi
 export LD_LIBRARY_PATH="${WORKSPACE}/wolfssl-install/lib:$LD_LIBRARY_PATH"
 export LIBRARY_PATH="${WORKSPACE}/wolfssl-install/lib:$LIBRARY_PATH"
 
+echo "=== Installing wolfProvider ==="
+
 # If running in wolfProvider/IDE/Android, then 'ln -s ../../ wolfProvider'
 if [ ! -e ${WORKSPACE}/wolfProvider ]; then
     git clone https://github.com/wolfssl/wolfProvider ${WORKSPACE}/wolfProvider
+    checkReturn $?
 fi
 cd ${WORKSPACE}/wolfProvider && \
     ./autogen.sh && \
-    ./configure --with-openssl=${WORKSPACE}/openssl-install --with-wolfssl=${WORKSPACE}/wolfssl-install --host=x86_64-linux-android CFLAGS="-lm -fPIC" --enable-debug && \
+    CC=x86_64-linux-android34-clang ./configure --with-openssl=${WORKSPACE}/openssl-install --with-wolfssl=${WORKSPACE}/wolfssl-install --host=x86_64-linux-android CFLAGS="-lm -fPIC" --enable-debug && \
     make -j
+checkReturn $?
+
+${CROSS_COMPILE}clang ${WORKSPACE}/wolfProvider/examples/openssl_example.c -I ${WORKSPACE}/openssl-install/include/ -L ${WORKSPACE}/openssl-install/lib/ -lcrypto -o ${WORKSPACE}/wolfProvider/examples/openssl_example
+checkReturn $?
+
+exit 0

IDE/Android/run.sh

@@ -7,7 +7,17 @@ WORKSPACE=$(pwd)
 rm -rf ${WORKSPACE}/openssl-install/share
 rm -rf ${WORKSPACE}/openssl-install/ssl/misc/tsget
 
-adb push --sync ${WORKSPACE}/openssl-install ${WORKSPACE}/wolfssl/src/.libs/libwolfssl.so ${WORKSPACE}/wolfProvider/.libs/libwolfprov.so ${WORKSPACE}/wolfProvider/provider.conf ${WORKSPACE}/wolfProvider/scripts run_helper.sh /data/local/tmp/.
+adb push --sync ${WORKSPACE}/openssl-install \
+        ${WORKSPACE}/openssl-source/test/evp_test \
+        ${WORKSPACE}/wolfssl-install/lib/libwolfssl.so \
+        ${WORKSPACE}/wolfProvider/.libs/libwolfprov.so \
+        ${WORKSPACE}/wolfProvider/provider.conf \
+        ${WORKSPACE}/wolfProvider/scripts \
+        ${WORKSPACE}/run_helper.sh \
+        ${WORKSPACE}/wolfProvider/examples/openssl_example \
+        ${WORKSPACE}/run_openssl.sh \
+        /data/local/tmp/.
 
 adb shell "cd /data/local/tmp/ && ./run_helper.sh"
 
+adb shell "cd /data/local/tmp/ && ./run_openssl.sh"

IDE/Android/run_helper.sh

@@ -36,7 +36,7 @@ EVP_TESTS=(
 for T in ${EVP_TESTS[@]}
 do
     printf "\t\t$T ... "
-    ${RUNDIR}/openssl/test/evp_test -config ${RUNDIR}/provider.conf \
+    ${RUNDIR}/evp_test -config ${RUNDIR}/provider.conf \
         ${RUNDIR}/scripts/evp_test/$T \
         >$T.log 2>&1
     if [ "$?" = "0" ]; then

IDE/Android/run_openssl.sh

@@ -0,0 +1,8 @@
+RUNDIR=/data/local/tmp/
+export LD_LIBRARY_PATH=${RUNDIR}:${RUNDIR}/openssl-install/lib
+export OPENSSL_MODULES=${RUNDIR}
+export OPENSSL_CONF=${RUNDIR}/provider.conf
+${RUNDIR}/openssl-install/bin/openssl list -provider-path ${RUNDIR} -providers -verbose
+#${RUNDIR}/openssl-install/bin/openssl help list
+
+${RUNDIR}/openssl_example

README.md

@@ -113,5 +113,5 @@ To run automated unit tests:
 ### Integration Tests
 
 To run the cipher suite testing:
-* ./scripts/wp-cs-test.sh
+* ./scripts/test-wp-cs.sh
 

examples/openssl_example.c

@@ -0,0 +1,52 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <openssl/params.h>
+#include <openssl/provider.h>
+#include <openssl/err.h>
+
+int main(void)
+{
+    /*
+    OSSL_PROVIDER *legacy;
+    OSSL_PROVIDER *deflt;
+
+    // Load Multiple providers into the default (NULL) library context
+    legacy = OSSL_PROVIDER_load(NULL, "legacy");
+    if (legacy == NULL) {
+        printf("Failed to load Legacy provider\n");
+        exit(EXIT_FAILURE);
+    }
+    deflt = OSSL_PROVIDER_load(NULL, "default");
+    if (deflt == NULL) {
+        printf("Failed to load Default provider\n");
+        OSSL_PROVIDER_unload(legacy);
+        exit(EXIT_FAILURE);
+    }
+    OSSL_PROVIDER_unload(legacy);
+    OSSL_PROVIDER_unload(deflt);
+    */
+
+    // Rest of application
+
+	OSSL_PROVIDER *prov = NULL;
+	const char *build = NULL;
+	OSSL_PARAM request[] = {
+	    { "buildinfo", OSSL_PARAM_UTF8_PTR, &build, 0, 0 },
+	    { NULL, 0, NULL, 0, 0 }
+	};
+
+	if ((prov = OSSL_PROVIDER_load(NULL, "libwolfprov")) != NULL
+	    && OSSL_PROVIDER_get_params(prov, request))
+	    printf("Provider 'libwolfprov' buildinfo: %s\n", build);
+	else
+	    ERR_print_errors_fp(stderr);
+
+    if (OSSL_PROVIDER_self_test(prov) == 0)
+        printf("Provider selftest failed\n");
+    else
+        printf("Provider selftest passed\n");
+
+    OSSL_PROVIDER_unload(prov);
+    exit(EXIT_SUCCESS);
+}

scripts/test-openssl.sh

@@ -22,6 +22,10 @@
 # Execute this script from: wolfProvider
 #set -e
 
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+source ${SCRIPT_DIR}/utils-openssl.sh
+source ${SCRIPT_DIR}/utils-wolfssl.sh
+
 do_cleanup() {
     echo "Cleanup"
 }
@@ -34,9 +38,6 @@ do_trap() {
 
 trap do_trap INT TERM
 
-source ${PWD}/scripts/utils-openssl.sh
-source ${PWD}/scripts/utils-wolfssl.sh
-
 #
 # evp_test
 #
@@ -87,6 +88,8 @@ source ${PWD}/scripts/utils-wolfssl.sh
 #   evppkey_kdf_scrypt.txt - SCRYPT not supported
 #   evppkey_sm2.txt - SM2 not supported
 #   evprand.txt - random is HashDRBG and internals not accessible.
+#   evppkey_rsa_common.txt
+#   evppkey_rsa.txt
 
 evp_test_run() {
     printf "\tTesting with evp_test:\n"
@@ -115,8 +118,6 @@ evp_test_run() {
         evppkey_kdf_hkdf.txt
         evppkey_kdf_tls1_prf.txt
         evppkey_mismatch.txt
-        evppkey_rsa_common.txt
-        evppkey_rsa.txt
     )
 
     for T in ${EVP_TESTS[@]}
@@ -247,7 +248,7 @@ WOLFPROV_DIR=$PWD
 WOLFPROV_CONFIG=$WOLFPROV_DIR/provider.conf
 WOLFPROV_PATH=$WOLFPROV_DIR/.libs
 LOGDIR=$WOLFPROV_DIR/scripts/log
-LOG_FILE=$LOGDIR/dependencies.log
+LOG_FILE=$LOGDIR/test-openssl.log
 export OPENSSL_MODULES=$WOLFPROV_PATH
 
 if [ ! -d "$LOGDIR" ]; then
@@ -280,18 +281,18 @@ printf "LD_LIBRARY_PATH: $LD_LIBRARY_PATH\n"
 # Set up wolfProvider
 cd ${WOLFPROV_DIR}
 if [ ! -e "${WOLFPROV_DIR}/configure" ]; then
-    ./autogen.sh &>> $LOG_FILE
-    ./configure --with-openssl=${OPENSSL_INSTALL_DIR} --with-wolfssl=${WOLFSSL_INSTALL_DIR} &>> $LOG_FILE
+    ./autogen.sh >>$LOG_FILE 2>&1
+    ./configure --with-openssl=${OPENSSL_INSTALL_DIR} --with-wolfssl=${WOLFSSL_INSTALL_DIR} >>$LOG_FILE 2>&1
 fi
-make -j$NUMCPU &>> $LOG_FILE
+make -j$NUMCPU >>$LOG_FILE 2>&1
 if [ $? != 0 ]; then
   printf "\n\n...\n"
   tail -n 40 $LOG_FILE
   do_cleanup
   exit 1
 fi
 
-make test &>> $LOG_FILE
+make test >>$LOG_FILE 2>&1
 if [ $? != 0 ]; then
   printf "\n\n...\n"
   tail -n 40 $LOG_FILE